Overview
CVE-2013-2275 (Incorrect Default Report ACL Vulnerability)
Posted March 12, 2013
This vulnerability affects Puppet masters 0.25.0 and above. By default, auth.conf allows any authenticated node to submit a report for any other node. This can cause issues with compliance, because a stored report is not guaranteed to come from the node it names. The defaults in auth.conf have been changed as follows:
Previous setting:
# allow all nodes to store their reports
path /report
method save
allow *
Revised setting:
# allow all nodes to store their reports
path ~ ^/report/([^/]+)$
method save
allow $1
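The effect of the two settings can be checked with a small evaluator. This is an added example, not Puppet's own code and not part of the original advisory; the node names are constructed, and the matching rules listed in its first comment are simplifying assumptions.

```ruby
# Added example: simplified auth.conf evaluator, not Puppet's own code.
# Assumptions: the first stanza matching path and method decides; a plain
# path is a prefix match; no "method" line means every method; the request
# path is compared with the environment prefix already removed.
Stanza = Struct.new(:path, :regex, :verbs, :allows)

def parse_auth_conf(text)
  stanzas = []
  text.each_line do |raw|
    line = raw.strip
    next if line.empty? || line.start_with?('#')
    key, value = line.split(/\s+/, 2)
    next unless value
    if key == 'path'
      stanzas << Stanza.new(value.sub(/\A~\s*/, ''), value.start_with?('~'), [], [])
    elsif key == 'method' && stanzas.last
      stanzas.last.verbs.concat(value.split(/\s*,\s*/))
    elsif key == 'allow' && stanzas.last
      stanzas.last.allows.concat(value.split(/\s*,\s*/))
    end
  end
  stanzas
end

def allowed?(stanzas, certname, verb, uri)
  stanzas.each do |s|
    next unless s.verbs.empty? || s.verbs.include?(verb)
    caps = s.regex ? Regexp.new(s.path).match(uri) : nil
    next unless s.regex ? caps : uri.start_with?(s.path)
    # Expand $1..$9 in each allow entry from the path regex captures.
    return s.allows.any? { |a|
      a == '*' || a.gsub(/\$(\d)/) { caps ? caps[$1.to_i].to_s : '' } == certname
    }
  end
  false # nothing matched: deny
end

# True when node-a (constructed name) may save a report filed as node-b.
def cross_node_report_save?(conf_text)
  allowed?(parse_auth_conf(conf_text), 'node-a.example.test', 'save',
           '/report/node-b.example.test')
end

PREVIOUS = <<~'CONF'
  path /report
  method save
  allow *
CONF

REVISED = <<~'CONF'
  path ~ ^/report/([^/]+)$
  method save
  allow $1
CONF
```

Passing the text of a deployed auth.conf to cross_node_report_save? shows whether that file still carries the previous default.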
Status
- Resolved in Puppet 2.6.18, 2.7.21, 3.1.1, Puppet Enterprise 1.2.7, 2.7.2